A Risk Based Thinking Model for ISO 9001:2015

What is Risk Based Thinking?

What is Risk?

What is a simple Risk Tool?

How does it integrate into the Process Approach?

How do you make Risk Based Thinking a Continual Process Improvement activity?

January 15, 2015

2014 QSG, Inc.

ISO 9001:2015 Risk & Opportunities

4.4 Quality management system and its processes

The organization shall establish, implement, maintain and continually improve a quality management system, including the processes needed and their interactions, in accordance with the requirements of this International Standard.

The organization shall determine the processes needed for the quality management system and their application throughout the organization and shall determine:

f) the risks and opportunities in accordance with the requirements of 6.1, and plan and implement the appropriate actions to address them;


ISO 9001:2015 Risk & Opportunities

6 Planning for the quality management system

6.1 Actions to address risks and opportunities

6.1.1 When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

a) give assurance that the quality management system can achieve its intended result(s);

b) prevent, or reduce, undesired effects;

c) achieve continual improvement.


ISO 9001:2015 Risk & Opportunities

6.1.2 The organization shall plan:

a) actions to address these risks and opportunities;

b) how to:

1) integrate and implement the actions into its quality management system processes (see 4.4);

2) evaluate the effectiveness of these actions.

Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.


The Main Objectives of International Standards

To provide confidence in the organization's ability to consistently provide customers with conforming goods and services

To enhance customer satisfaction

The concept of risk in the context of the international standards relates to the uncertainty in achieving these objectives


What is Risk Based Thinking?


What is Risk-Based Thinking?

Risk-based thinking is something we all do automatically and often sub-consciously

The concept of risk has always been implicit in ISO 9001; the 2015 revision makes it more explicit and builds it into the whole management system

Risk-based thinking is already part of the process approach

Risk-based thinking makes preventive action part of the routine

Risk is often thought of only in the negative sense. Risk-based thinking can also help to identify opportunities. This can be considered to be the positive side of risk


What Should I Do?

Identify what the risks and opportunities are in your organization: it depends on context

ISO 9001:2015 will not automatically require you to carry out a full, formal risk assessment, or to maintain a risk register

ISO 31000 (Risk management - Principles and guidelines) will be a useful reference (but not mandated)


What Should I Do? (continued)

Analyse and prioritize the risks and opportunities in your organization: what is acceptable? what is unacceptable?

Plan actions to address the risks: how can I avoid or eliminate the risk? how can I mitigate the risk?

Implement the plan: take action

Check the effectiveness of the actions: does it work?

Learn from experience: continual improvement


Key Points to Remember

Risk Based Thinking = Preventative Action

Risk Based Thinking is everybody's business!

Risk Based Thinking is not just the responsibility of management

Risk Based Thinking must become an integral part of the organizational culture


What is Risk?

Risk is the possibility of events or activities impeding the achievement of an organization's strategic and operational objectives.


Risk: A Simple Definition

The volatility of potential outcomes.

or

How surprised do you really want to be??


Food for Thought

Why is Risk like Swiss Cheese?

Author needs to acknowledge that this idea was shown at the NQA Meeting, Boston Session, August 2014


Risk Definitions

Risk can be defined by two (2) parameters:

Severity: This is the Seriousness of the harm

Probability: This is the Probability that the harm will occur


Risk Assessment - Quantitative


Risk Acceptable Regions

[Figure: risk regions, labelled Generally Un-Acceptable; As Low As Reasonably Practical; Generally Acceptable]


Risk Assessment - Qualitative


Risk Registers


The Importance of a Risk Register

The risk register or risk log becomes essential as it records identified risks, their severity, and the action steps to be taken.

It can be a simple document, spreadsheet, or a database system, but the most effective format is a table.

A table presents a great deal of information in just a few pages.


Components of a Risk Register

There is no standard list of components that should be included in the risk register. Some of the most widely used components are:

Dates: As the register is a living document, it is important to record the date that risks are identified or modified. Optional dates to include are the target and completion dates.

Description of the Risk: A phrase that describes the risk.

Risk Type (business, project, stage): Classification of the risk: Business risks relate to delivery of achieved benefit; project risks relate to the management of the project such as timeframes and resources; and stage risks are risks associated with a specific stage of the plan.

Likelihood of Occurrence: Provides an assessment on how likely it is that this risk will occur. Examples are: L-Low (<30%), M-Medium (31-70%), H-High (>70%).

Severity of Effect: Provides an assessment of the impact that the occurrence of this risk would have on the project.


Components of a Risk Register

There is no standard list of components that should be included in the risk register. Some of the most widely used components are:

Countermeasures: Actions to be taken to prevent, reduce, or transfer the risk. This may include production of contingency plans.

Owner: The individual responsible for ensuring that risks are appropriately engaged with countermeasures undertaken.

Status: Indicates whether this is a current risk or if risk can no longer arise and impact the project. Example classifications are: C-current or E-ended.

Other columns such as quantitative value can also be added if appropriate.


Risk Registers - Example


Risk Registers - Example


Integrating Risk Based Thinking with the Process Approach


Purpose of the Process Approach

The purpose of the process approach is to enhance an organization's effectiveness and efficiency in achieving its defined objectives. This means enhancing customer satisfaction by meeting customer requirements.


Is This a Process Model in Your Organization?


or does your Process Approach look like this?


or does your Process Approach look like this?


[Figure: process diagram with the labels Materials (With What?); Measures (Trend Charts, Metrics); Manpower (Training, Skills); Process; Inputs; Suppliers (By Whom); (Major Elements & Boundaries); Start; End; Process Owners; Outputs; Customers (for Whom?); Risks (What Can Go Wrong?); Methods (How?); Machine (With What?); Environment (Area Conditions?)]


Proposed Risk Model


Proposed Risk Model - Populated

[Figure: populated risk model, with the labels New Risk Value; Post Action Plans]


Food for Thought

Why is Risk like Swiss Cheese?

Author needs to acknowledge that this idea was shown at the NQA Meeting, Boston Session, August 2014

Process + Risk + PDCA Model

[Figure: process model with the labels Plan the process; Do: Carry out the process; Check: monitor/measure process performance; Did things happen; OUTPUTS; Interaction with other process]

Management Review Input

Top management shall review the organization's quality management system, at planned intervals, to ensure its continuing suitability, adequacy, and effectiveness. The management review shall be planned and carried out taking into consideration:

a) the status of actions from previous management reviews;

b) changes in external and internal issues that are relevant to the quality management system including its strategic direction;

c) information on the quality performance, including trends and indicators for:

1) nonconformities and corrective actions;

2) monitoring and measurement results;

3) audit results;

4) customer satisfaction;

5) issues concerning external providers and other relevant interested parties;

6) adequacy of resources required for maintaining an effective quality management system;

7) process performance and conformity of products and services;

d) the effectiveness of actions taken to address risks and opportunities (see clause 6.1);

e) new potential opportunities for continual improvement.


Conclusions

Risk Based Thinking is an element in the Process Approach

Risk Based Thinking is an input to Management Review

Risk Based Thinking is an element in the continual improvement process that is focused on prevention.

Risk Based Thinking has to be demonstrated during audits; a risk register is documented information that validates an organization has done Risk Based Thinking.